Many computer applications rely at least partially on access to remote services to implement a portion of their functionality. For example, an application running on a computer system may submit service requests to remote services such as storage services, backup services, key management services, and cloud-computing services. The service requests are authenticated and authorized using credentials. The credentials are issued to the application by the provider of the remote service, and grant the access rights that are necessary to fulfill the service requests. Some applications comprise a plurality of processes, and different processes may access different sets of remote services in different ways. If a number of processes require different access rights, the credentials provided by the remote service provider to the application may grant the union of the required access rights. This may result in some processes receiving access rights that are greater than what is necessary.
This can be particularly problematic if the processes have very different or conflicting access requirements. For example, a first process may require access to a storage volume owned by a first customer, while a second process may need to be denied access to the storage volume owned by the first customer. In another example, a first process may require administrative access privileges, whereas a second process may require only minimal access rights. If credentials are issued on a per-application or per-host basis, many processes may be forced to share the same access rights and privileges, creating an unnecessary security risk. Therefore, adjusting the credentials that are supplied to each process is an important problem.